Apache JMeter RMI Code Execution PoC (CVE-2018-1297)

Recently, I read about a remote code execution (RCE) vulnerability, CVE-2018-1297, that affects yet another Apache product: JMeter. As you might know, “The Apache JMeter™ application is open source software, a 100% pure Java application designed to load test functional behavior and measure performance.” The CVE Mitre page does not give many details, stating just this: “When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.” However, the announce mailing list gave out some more information. With that information, I tried to see if I could create proof-of-concept code for CVE-2018-1297.

But before we do that, let’s get to know a bit about Java Remote Method Invocation (Java RMI). Java RMI allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine on a different host. It provides for remote communication between programs written in the Java programming language. You know where this is going, right? By default, the RMI registry listens on port 1099/TCP.

I re-read the mailing list for the version, and downloaded a couple of versions of Apache JMeter from its archive page. On un-compressing the archive, I read through the jmeter-server file and executed the jmeter-server.bat batch file.

To mitigate this vulnerability, it is suggested that you upgrade your Java installation to Java 8 or Java 9, download the latest Apache JMeter 4.0 version, and use the authenticated SSL RMI connection that is enabled by default.
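An upgraded installation only stays protected while the SSL RMI default is left on. The following audit sketch is an added example, not code from the original post or from the JMeter project: it checks whether property files or launch options switch that default off. It assumes the JMeter 4.0 property `server.rmi.ssl.disable`, the `-J` command-line property override, and that `user.properties` is loaded after `jmeter.properties`; the sample file contents are constructed.

```python
import re

KEY = "server.rmi.ssl.disable"   # JMeter 4.0+ property; "true" turns RMI SSL off

# Constructed sample inputs. Assumption: user.properties is loaded after
# jmeter.properties, and -J options on the command line override both.
JMETER_PROPERTIES = r"""
# Distributed testing
server_port=1099
#server.rmi.ssl.disable=false
server.rmi.ssl.keystore.file = rmi_keystore.jks
"""
USER_PROPERTIES = r"""
! override left over from a lab setup
server.rmi.ssl.disable : \
    true
"""

def parse_properties(text):
    """Common subset of java.util.Properties: '#'/'!' comments,
    '=', ':' or whitespace separators, backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:   # sentinel flushes a dangling '\'
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]            # join with next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_rmi_ssl(files, argv=()):
    """files: (name, text) pairs in load order. Returns (secure, origin),
    where origin names the source of the effective setting."""
    value, origin = "false", "default"     # SSL RMI is on unless disabled
    for name, text in files:
        props = parse_properties(text)
        if KEY in props:
            value, origin = props[KEY], name
    for arg in argv:                       # e.g. -Jserver.rmi.ssl.disable=true
        if arg.startswith("-J" + KEY + "="):
            value, origin = arg.split("=", 1)[1], "command line"
    return value.lower() != "true", origin

if __name__ == "__main__":
    files = [("jmeter.properties", JMETER_PROPERTIES),
             ("user.properties", USER_PROPERTIES)]
    print(audit_rmi_ssl(files))
```

Run it against the real `bin/jmeter.properties`, `bin/user.properties` and the arguments in the server launch script; a result of `False` means the installation has fallen back to the unsecured RMI connection described in the CVE.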
